From 29605ef50739c0606b8543ae3f5f2d45347beba5 Mon Sep 17 00:00:00 2001 
From: qsw333 Date: Tue, 7 Nov 2023 17:22:07 +0800 Subject: [PATCH] backport some patches --- ...-buffer-overflow-when-using-a-prefix.patch | 29 ++++++++ ...cumentation-around-CREATE_MAIL_SPOOL.patch | 28 ++++++++ ...port-Address-minor-compiler-warnings.patch | 0 backport-CVE-2013-4235.patch | 34 +++++++++ ...regular-file-pre-exists-in-copy_tree.patch | 0 ...port-Fix-parentheses-in-configure.ac.patch | 27 +++++++ ...e-malformed-lines-in-hushlogins-file.patch | 34 +++++++++ backport-Improve-child-error-handling.patch | 62 ++++++++++++++++ ...nly-free-sgent-if-it-was-initialized.patch | 43 +++++++++++ ...heck-NULL-before-freeing-passwd-data.patch | 70 ++++++++++++++++++ ...minimum-id-check-for-system-accounts.patch | 58 +++++++++++++++ ...ile.in-switch-from-xml2po-to-itstool.patch | 45 ++++++++++++ ...LS-enablement-before-setting-serange.patch | 60 ++++++++++++++++ ...check-if-subid-range-exists-for-user.patch | 39 ++++++++++ shadow.spec | 72 ++++++++++--------- 15 files changed, 567 insertions(+), 34 deletions(-) create mode 100644 backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch create mode 100644 backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch rename backport-Address-minor-complier-warnings.patch => backport-Address-minor-compiler-warnings.patch (100%) create mode 100644 backport-CVE-2013-4235.patch rename backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch => backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch (100%) create mode 100644 backport-Fix-parentheses-in-configure.ac.patch create mode 100644 backport-Handle-malformed-lines-in-hushlogins-file.patch create mode 100644 backport-Improve-child-error-handling.patch create mode 100644 backport-Only-free-sgent-if-it-was-initialized.patch create mode 100644 backport-lib-check-NULL-before-freeing-passwd-data.patch create mode 100644 backport-libmisc-minimum-id-check-for-system-accounts.patch create mode 100644 backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch 
create mode 100644 backport-useradd-check-MLS-enablement-before-setting-serange.patch
create mode 100644 backport-useradd-check-if-subid-range-exists-for-user.patch
diff --git a/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch b/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch
new file mode 100644
index 0000000..76ff976
--- /dev/null
+++ b/backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch
@@ -0,0 +1,29 @@
+From eaebea55a495a56317ed85e959b3599f73c6bdf2 Mon Sep 17 00:00:00 2001
+From: David Michael
+Date: Sun, 23 Oct 2022 18:51:33 -0400
+Subject: [PATCH] useradd: Fix buffer overflow when using a prefix
+
+The buffer length did not count the string's trailing null byte.
+
+Signed-off-by: David Michael
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/f6f8bcd2a57c06983296485cc028ebdf467ebfd7
+
+---
+ src/useradd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 39a744ee0..7ea0a9c4d 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2372,7 +2372,7 @@ static void create_mail (void)
+ if (NULL == spool) {
+ return;
+ }
+- file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 2);
++ file = alloca (strlen (prefix) + strlen (spool) + strlen (user_name) + 3);
+ if (prefix[0])
+ sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+ else
diff --git a/backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch b/backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch
new file mode 100644
index 0000000..8cb1e69
--- /dev/null
+++ b/backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch
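Review bot: The `Reference:` trailer in this patch header names upstream commit f6f8bcd2a57c06983296485cc028ebdf467ebfd7, but the patch's own `From` line is eaebea55a495a56317ed85e959b3599f73c6bdf2, and the very same f6f8bcd2 URL is reused verbatim by backport-useradd-check-if-subid-range-exists-for-user.patch, so at least one of the two trailers is not the true origin; point it at the commit the hunk was actually taken from so the backport's provenance can be verified. The file name also keeps the `backort-` typo even though this commit fixes the analogous `complier` and `filr` misspellings in two sibling patches. The size arithmetic is right for the `%s/%s/%s` case (two slashes plus the terminator); the `else` branch is cut off by the hunk, but if it writes `%s/%s` the extra byte is merely unused. Since `file` is still filled by an unbounded `sprintf`, I would keep the computed length in a local and write with `snprintf (file, len, ...)` so a later edit to the format string cannot reintroduce the overflow; `create_mail` continues outside the hunk.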
@@ -0,0 +1,28 @@ +From aff4989d1acf3afc718813144658c295d8d10f20 Mon Sep 17 00:00:00 2001 +From: Andy Zaugg +Date: Mon, 20 Sep 2021 20:41:50 -0700 +Subject: [PATCH] Added documentation around CREATE_MAIL_SPOOL + +Adding documentation aroud the parameter CREATE_MAIL_SPOOL in the +/etc/default/useradd file + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/aff4989d1acf3afc718813144658c295d8d10f20 + +--- + man/login.defs.d/MAIL_DIR.xml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/man/login.defs.d/MAIL_DIR.xml b/man/login.defs.d/MAIL_DIR.xml +index 60b82d6b1..b5adb888b 100644 +--- a/man/login.defs.d/MAIL_DIR.xml ++++ b/man/login.defs.d/MAIL_DIR.xml +@@ -35,6 +35,8 @@ + The mail spool directory. This is needed to manipulate the mailbox + when its corresponding user account is modified or deleted. If not + specified, a compile-time default is used. ++ The parameter CREATE_MAIL_SPOOL in /etc/default/useradd ++ determines whether the mail spool should be created. + + + diff --git a/backport-Address-minor-complier-warnings.patch b/backport-Address-minor-compiler-warnings.patch similarity index 100% rename from backport-Address-minor-complier-warnings.patch rename to backport-Address-minor-compiler-warnings.patch diff --git a/backport-CVE-2013-4235.patch b/backport-CVE-2013-4235.patch new file mode 100644 index 0000000..9506bc1 --- /dev/null +++ b/backport-CVE-2013-4235.patch 
@@ -0,0 +1,34 @@
+From b4472167c2f5057d56686d3349a9b55fc508efe6 Mon Sep 17 00:00:00 2001
+From: ed neville
+Date: Fri, 31 Dec 2021 22:40:13 +0000
+Subject: [PATCH] Adding nofollow to opens
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/b4472167c2f5057d56686d3349a9b55fc508efe6
+
+---
+ libmisc/copydir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libmisc/copydir.c b/libmisc/copydir.c
+index f2130bcac..a296d925d 100644
+--- a/libmisc/copydir.c
++++ b/libmisc/copydir.c
+@@ -741,7 +741,7 @@ static int copy_file (const char *src, const char *dst,
+ char buf[1024];
+ ssize_t cnt;
+ 
+- ifd = open (src, O_RDONLY);
++ ifd = open (src, O_RDONLY|O_NOFOLLOW);
+ if (ifd < 0) {
+ return -1;
+ }
+@@ -751,7 +751,7 @@ static int copy_file (const char *src, const char *dst,
+ return -1;
+ }
+ #endif /* WITH_SELINUX */
+- ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC, statp->st_mode & 07777);
++ ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, statp->st_mode & 07777);
+ if ( (ofd < 0)
+ || (fchown_if_needed (ofd, statp,
+ old_uid, new_uid, old_gid, new_gid) != 0)
diff --git a/backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch b/backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch
similarity index 100%
rename from backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch
rename to backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch
diff --git a/backport-Fix-parentheses-in-configure.ac.patch b/backport-Fix-parentheses-in-configure.ac.patch
new file mode 100644
index 0000000..bf37375
--- /dev/null
+++ b/backport-Fix-parentheses-in-configure.ac.patch
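Review bot: `O_NOFOLLOW` on the two `open` calls in `copy_file` only refuses a symlink as the final path component; a symlink swapped into an intermediate directory of `src` or `dst` is still followed, so on its own this does not close the lstat-then-open race that CVE-2013-4235 describes and the file name promises. The directory-handle based `backport-Avoid-races-in-copy_tree.patch` (Patch38 in the spec) has to be treated as the actual fix with this hunk as hardening, and the spec hunk in this commit adds no `PatchNN:` line for backport-CVE-2013-4235.patch at all, so please confirm the patch is applied in the build. An `O_NOFOLLOW` refusal on `dst` fails with `ELOOP` and lands in the existing `ofd < 0` branch while `ifd` is already open; the cleanup is outside the hunk, so check that `ifd` is closed on that path. I would also comment the first call: `/* O_NOFOLLOW: fail instead of following if the path was swapped for a symlink after the caller's check */`.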
@@ -0,0 +1,27 @@ +From 049f9a7f6b320c728a6274299041e360381d7cd5 Mon Sep 17 00:00:00 2001 +From: Andy Zaugg +Date: Tue, 21 Sep 2021 21:51:10 -0700 +Subject: [PATCH] Fix parentheses in configure.ac + +Resolving issue https://github.com/shadow-maint/shadow/issues/419 + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/049f9a7f6b320c728a6274299041e360381d7cd5 + +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 994836bda..6cbb6bd27 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -345,7 +345,7 @@ if test "$with_sssd" = "yes"; then + [AC_MSG_ERROR([posix_spawn is needed for sssd support])]) + fi + +-AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])]) ++AS_IF([test "$with_su" != "no"], AC_DEFINE(WITH_SU, 1, [Build with su])) + AM_CONDITIONAL([WITH_SU], [test "x$with_su" != "xno"]) + + dnl Check for some functions in libc first, only if not found check for diff --git a/backport-Handle-malformed-lines-in-hushlogins-file.patch b/backport-Handle-malformed-lines-in-hushlogins-file.patch new file mode 100644 index 0000000..49b2d10 --- /dev/null +++ b/backport-Handle-malformed-lines-in-hushlogins-file.patch 
@@ -0,0 +1,34 @@ +From 63a96706b1205f91c4a57de21ac56e996d270ff1 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Fri, 29 Oct 2021 19:44:46 +0200 +Subject: [PATCH] Handle malformed lines in hushlogins file. + +If a line in hushlogins file, e.g. /etc/hushlogins, starts with +'\0', then current code performs an out of boundary write. +If the line lacks a newline at the end, then another character is +overridden. + +With strcspn both cases are solved. + +Signed-off-by: Tobias Stoeckmann + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/63a96706b1205f91c4a57de21ac56e996d270ff1 + +--- + libmisc/hushed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libmisc/hushed.c b/libmisc/hushed.c +index b71b99ce2..3c3adafca 100644 +--- a/libmisc/hushed.c ++++ b/libmisc/hushed.c +@@ -90,7 +90,7 @@ bool hushed (const char *username) + return false; + } + for (found = false; !found && (fgets (buf, (int) sizeof buf, fp) == buf);) { +- buf[strlen (buf) - 1] = '\0'; ++ buf[strcspn (buf, "\n")] = '\0'; + found = (strcmp (buf, pw->pw_shell) == 0) || + (strcmp (buf, pw->pw_name) == 0); + } diff --git a/backport-Improve-child-error-handling.patch b/backport-Improve-child-error-handling.patch new file mode 100644 index 0000000..cdebe8d --- /dev/null +++ b/backport-Improve-child-error-handling.patch 
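Review bot: `buf[strcspn (buf, "\n")] = '\0';` correctly covers the empty-line and missing-newline cases that the old `strlen (buf) - 1` write got wrong, but a line longer than `buf` is still delivered by `fgets` in chunks that are each compared as a whole entry, so an over-long shell path in the hushlogins file never matches and a trailing chunk can match a short user name by accident. That is pre-existing rather than introduced here, yet the new line is where a reader will look, so I would annotate it: `/* strip the newline; lines longer than buf arrive in pieces and are compared piecewise */`. `hushed` begins and ends outside the hunk.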
@@ -0,0 +1,62 @@ +From 624d57c08caceed306212d24c2147f6273f3fc4b Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 14 Nov 2021 12:01:32 +0100 +Subject: [PATCH] Improve child error handling + +Always set SIGCHLD handler to default, even if the caller of vipw has +set SIGCHLD to ignore. If SIGCHLD is ignored no zombie processes would +be created, which in turn could mean that kill is called with an already +recycled pid. + +Proof of Concept: + +1. Compile nochld: + -- + #include + #include + int main(void) { + char *argv[] = { "vipw", NULL }; + signal(SIGCHLD, SIG_IGN); + execvp("vipw", argv); + return 1; + } + -- +2. Run nochld +3. Suspend child vi, which suspends vipw too: +`kill -STOP childpid` +4. Kill vi: +`kill -9 childpid` +5. You can see with ps that childpid is no zombie but disappeared +6. Bring vipw back into foreground +`fg` + +The kill call sends SIGCONT to "childpid" which in turn could have been +already recycled for another process. + +This is definitely not a vulnerability. It would take super user +operations, at which point an attacker would have already elevated +permissions. + +Signed-off-by: Tobias Stoeckmann + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/624d57c08caceed306212d24c2147f6273f3fc4b + +--- + src/vipw.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/vipw.c b/src/vipw.c +index 94185c3df..1a69ef285 100644 +--- a/src/vipw.c ++++ b/src/vipw.c +@@ -349,6 +349,9 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) + sigprocmask(SIG_BLOCK, &mask, &omask); + } + ++ /* set SIGCHLD to default for waitpid */ ++ signal(SIGCHLD, SIG_DFL); ++ + for (;;) { + pid = waitpid (pid, &status, WUNTRACED); + if ((pid != -1) && (WIFSTOPPED (status) != 0)) { diff --git a/backport-Only-free-sgent-if-it-was-initialized.patch b/backport-Only-free-sgent-if-it-was-initialized.patch new file mode 100644 index 0000000..ad29342 --- /dev/null 
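Review bot: `signal (SIGCHLD, SIG_DFL)` is installed in the parent after the fork and immediately before the `waitpid` loop, so if the child terminates in the window before that line while the inherited disposition is still `SIG_IGN`, the kernel auto-reaps it and `waitpid` returns -1 with `ECHILD`, which is exactly the recycled-pid scenario the commit message wants to rule out. Resetting the disposition before `fork ()` (the fork is outside this hunk) removes the window and also hands the editor child a sane default instead of `SIG_IGN`. As a style point, `sigaction` with an explicit `struct sigaction` would match the `sigprocmask` usage just above better than `signal`, whose semantics vary between platforms. `vipwedit` begins and ends outside the hunk.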
+++ b/backport-Only-free-sgent-if-it-was-initialized.patch @@ -0,0 +1,43 @@ +From 117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 Mon Sep 17 00:00:00 2001 +From: Michael Vetter +Date: Mon, 20 Sep 2021 11:04:50 +0200 +Subject: [PATCH] Only free sgent if it was initialized + +`sgent` is only initialized in `get_group()` if `is_shadowgrp` is true. +So we should also only attempt to free it if this is actually the case. + +Can otherwise lead to: +``` +free() double free detected in tcache 2 (gpasswd) +``` + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/117bc66c6f95fa85ca75ecfdb8fbd3615deca0b6 + +--- + src/gpasswd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index a43d9a590..04bed83d6 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -1207,11 +1207,13 @@ int main (int argc, char **argv) + sssd_flush_cache (SSSD_DB_GROUP); + + #ifdef SHADOWGRP +- if (sgent.sg_adm) { +- xfree(sgent.sg_adm); +- } +- if (sgent.sg_mem) { +- xfree(sgent.sg_mem); ++ if (is_shadowgrp) { ++ if (sgent.sg_adm) { ++ xfree(sgent.sg_adm); ++ } ++ if (sgent.sg_mem) { ++ xfree(sgent.sg_mem); ++ } + } + #endif + if (grent.gr_mem) { diff --git a/backport-lib-check-NULL-before-freeing-passwd-data.patch b/backport-lib-check-NULL-before-freeing-passwd-data.patch new file mode 100644 index 0000000..8164fff --- /dev/null +++ b/backport-lib-check-NULL-before-freeing-passwd-data.patch 
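Review bot: The `is_shadowgrp` guard is the right fix because `sgent` is never populated when the shadow group file is not in use, so the old `if (sgent.sg_adm)` tested an indeterminate pointer before the double free; that reasoning only lives in the commit message, and it belongs next to the code: `/* sgent is filled in by get_group() only when is_shadowgrp; its fields are indeterminate otherwise */`. If `xfree` is the project's thin wrapper around `free()`, the inner `if (sgent.sg_adm)` and `if (sgent.sg_mem)` checks are redundant because freeing NULL is a no-op, and dropping them leaves one guard per block. `main` continues outside the hunk.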
@@ -0,0 +1,70 @@ +From d594243fbbdabc73fdee50886f6dd11867b5cfab Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Thu, 18 Nov 2021 16:48:26 +0100 +Subject: [PATCH] lib: check NULL before freeing passwd data + +Add an additional NULL check condition in spw_free() and pw_free() to +avoid freeing an already empty pointer. + +Signed-off-by: Iker Pedrosa + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/d594243fbbdabc73fdee50886f6dd11867b5cfab + +--- + lib/pwmem.c | 18 ++++++++++-------- + lib/shadowmem.c | 12 +++++++----- + 2 files changed, 17 insertions(+), 13 deletions(-) + +diff --git a/lib/pwmem.c b/lib/pwmem.c +index 17d2eb219..9f184d5e1 100644 +--- a/lib/pwmem.c ++++ b/lib/pwmem.c +@@ -93,14 +93,16 @@ + + void pw_free (/*@out@*/ /*@only@*/struct passwd *pwent) + { +- free (pwent->pw_name); +- if (pwent->pw_passwd) { +- memzero (pwent->pw_passwd, strlen (pwent->pw_passwd)); +- free (pwent->pw_passwd); ++ if (pwent != NULL) { ++ free (pwent->pw_name); ++ if (pwent->pw_passwd) { ++ memzero (pwent->pw_passwd, strlen (pwent->pw_passwd)); ++ free (pwent->pw_passwd); ++ } ++ free (pwent->pw_gecos); ++ free (pwent->pw_dir); ++ free (pwent->pw_shell); ++ free (pwent); + } +- free (pwent->pw_gecos); +- free (pwent->pw_dir); +- free (pwent->pw_shell); +- free (pwent); + } + +diff --git a/lib/shadowmem.c b/lib/shadowmem.c +index 8989598f8..1d047cc04 100644 +--- a/lib/shadowmem.c ++++ b/lib/shadowmem.c +@@ -79,11 +79,13 @@ + + void spw_free (/*@out@*/ /*@only@*/struct spwd *spent) + { +- free (spent->sp_namp); +- if (NULL != spent->sp_pwdp) { +- memzero (spent->sp_pwdp, strlen (spent->sp_pwdp)); +- free (spent->sp_pwdp); ++ if (spent != NULL) { ++ free (spent->sp_namp); ++ if (NULL != spent->sp_pwdp) { ++ memzero (spent->sp_pwdp, strlen (spent->sp_pwdp)); ++ free (spent->sp_pwdp); ++ } ++ free (spent); + } +- free (spent); + } + 
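Review bot: Wrapping the entire bodies of `pw_free` and `spw_free` in `if (pwent != NULL) { ... }` is correct but reads better, and keeps the diff to two lines per function, as a guard clause: `if (pwent == NULL) { return; }` followed by the original unindented body. Both functions now accept NULL, which is a contract callers will start to rely on, so a one-line header comment on each stating that the argument may be NULL and that `pw_passwd` / `sp_pwdp` are wiped before release would document it. Whether `memzero` survives optimisation cannot be judged from this hunk since it is defined elsewhere; if it is a plain `memset`, an `explicit_bzero`-style helper is what the wipe needs, but that is outside this change.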
diff --git a/backport-libmisc-minimum-id-check-for-system-accounts.patch b/backport-libmisc-minimum-id-check-for-system-accounts.patch new file mode 100644 index 0000000..b899cbb --- /dev/null +++ b/backport-libmisc-minimum-id-check-for-system-accounts.patch @@ -0,0 +1,58 @@ +From d324c6776b3a1d4ac22bced543f72dc5dd366927 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Thu, 6 Oct 2022 11:21:18 +0200 +Subject: [PATCH] libmisc: minimum id check for system accounts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The minimum id allocation for system accounts shouldn't be 0 as this is +reserved for root. + +Signed-off-by: Tomáš Mráz +Signed-off-by: Iker Pedrosa + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/d324c6776b3a1d4ac22bced543f72dc5dd366927 + +--- + libmisc/find_new_gid.c | 7 +++++++ + libmisc/find_new_uid.c | 7 +++++++ + 2 files changed, 14 insertions(+) + +diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c +index 666b61078..65ab5d013 100644 +--- a/libmisc/find_new_gid.c ++++ b/libmisc/find_new_gid.c +@@ -60,6 +60,13 @@ static int get_ranges (bool sys_group, gid_t *min_id, gid_t *max_id, + (unsigned long) *max_id); + return EINVAL; + } ++ /* ++ * Zero is reserved for root and the allocation algorithm does not ++ * work right with it. ++ */ ++ if (*min_id == 0) { ++ *min_id = (gid_t) 1; ++ } + } else { + /* Non-system groups */ + +diff --git a/libmisc/find_new_uid.c b/libmisc/find_new_uid.c +index 322d15ab7..5f7e74b53 100644 +--- a/libmisc/find_new_uid.c ++++ b/libmisc/find_new_uid.c +@@ -60,6 +60,13 @@ static int get_ranges (bool sys_user, uid_t *min_id, uid_t *max_id, + (unsigned long) *max_id); + return EINVAL; + } ++ /* ++ * Zero is reserved for root and the allocation algorithm does not ++ * work right with it. ++ */ ++ if (*min_id == 0) { ++ *min_id = (uid_t) 1; ++ } + } else { + /* Non-system users */ + 
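Review bot: The new `*min_id == 0` clamp runs after the range validation that returns `EINVAL` (visible directly above it), so a configuration with `SYS_UID_MIN`/`SYS_GID_MIN` and the matching `_MAX` both set to 0 passes the check and then leaves `*min_id = 1 > *max_id = 0`, the inverted range the check exists to reject. Move the clamp above the comparison, or re-test `*min_id > *max_id` after it, in both find_new_uid.c and find_new_gid.c. The `else` branch for non-system accounts and the rest of `get_ranges` lie outside the hunk.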
diff --git a/backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch b/backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch new file mode 100644 index 0000000..4f06e84 --- /dev/null +++ b/backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch 
@@ -0,0 +1,45 @@ +From 02b200c9aa501ad4e1651c553cea1aaf9e5e0f4f Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Sat, 14 Aug 2021 14:24:03 -0500 +Subject: [PATCH] man/po/Makefile.in: switch from xml2po to itstool + +xml2po is deprecated. We've previously replaced xml2po with +itstool in man/generate_translations.mak, but there was still +an instance of it that only is exercised for 'make dist'. +Update that one. Now 'make dist' succeeds on a ubuntu focal +or newer host where xml2po is not available. + +Signed-off-by: Serge Hallyn + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/02b200c9aa501ad4e1651c553cea1aaf9e5e0f4f + +--- + man/po/Makefile.in | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/man/po/Makefile.in b/man/po/Makefile.in +index deaa87058..f194957b4 100644 +--- a/man/po/Makefile.in ++++ b/man/po/Makefile.in +@@ -90,9 +90,17 @@ $(DOMAIN).pot-update: $(XMLFILES) $(srcdir)/XMLFILES remove-potcdate.sed + @set -e; tmpdir=`pwd`; \ + echo "cd $(top_srcdir)/man"; \ + cd $(top_srcdir)/man; \ +- echo "xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES))"; \ +- xml2po --expand-all-entities -o $$tmpdir/$(DOMAIN).po $(notdir $(XMLFILES)); \ +- cd $$tmpdir ++ files=""; \ ++ for file in $(notdir $(XMLFILES)); do \ ++ if grep -q SHADOW-CONFIG-HERE $$file ; then \ ++ sed -e 's/^/%config;/' $$file > $$file.out; \ ++ else \ ++ sed -e 's/^\(/\1 [%config;]>/' $$file > $$file.out; \ ++ fi; \ ++ files="$$files $$file.out"; \ ++ done; \ ++ itstool -d -o $$tmpdir/$(DOMAIN).po $$files; \ ++ cd $$tmpdir; \ + test ! -f $(DOMAIN).po || { \ + if test -f $(srcdir)/$(DOMAIN).pot; then \ + sed -f remove-potcdate.sed < $(srcdir)/$(DOMAIN).pot > $(DOMAIN).1po && \ diff --git a/backport-useradd-check-MLS-enablement-before-setting-serange.patch b/backport-useradd-check-MLS-enablement-before-setting-serange.patch new file mode 100644 index 0000000..02d3841 --- /dev/null 
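Review bot: The new loop writes `$$file.out` beside every XML source under `$(top_srcdir)/man` and nothing in the hunk removes them, so a `make dist` run leaves generated `.out` files behind in the source tree; write them into `$$tmpdir` instead, or add `rm -f $$files` after the `itstool` call. The `sed` expression on the `else` branch appears truncated in this rendering (`s/^\(/...` has an unclosed group), which may be an extraction artefact, so diff it against the upstream commit before relying on it. The rule continues outside the hunk.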
+++ b/backport-useradd-check-MLS-enablement-before-setting-serange.patch @@ -0,0 +1,60 @@ +From 23634d8de7d01ed65bd70e316d4da4fe4d9b370d Mon Sep 17 00:00:00 2001 +From: genBTC +Date: Tue, 23 Aug 2022 10:25:51 -0400 +Subject: [PATCH] useradd: check MLS enablement before setting serange + Resolves: https://github.com/shadow-maint/shadow/issues/552 + +Conflict: NA +Reference: https://github.com/shadow-maint/shadow/commit/23634d8de7d01ed65bd70e316d4da4fe4d9b370d + +--- + lib/semanage.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/lib/semanage.c b/lib/semanage.c +index 54f996238..082a6e8ee 100644 +--- a/lib/semanage.c ++++ b/lib/semanage.c +@@ -122,12 +122,14 @@ static int semanage_user_mod (semanage_handle_t *handle, + goto done; + } + +- ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); +- if (ret != 0) { +- fprintf (shadow_logfd, +- _("Could not set serange for %s\n"), login_name); +- ret = 1; +- goto done; ++ if (semanage_mls_enabled(handle)) { ++ ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); ++ if (ret != 0) { ++ fprintf (shadow_logfd, ++ _("Could not set serange for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } + } + + ret = semanage_seuser_set_sename (handle, seuser, seuser_name); +@@ -179,13 +181,14 @@ static int semanage_user_add (semanage_handle_t *handle, + goto done; + } + +- ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); +- if (ret != 0) { +- fprintf (shadow_logfd, +- _("Could not set serange for %s\n"), +- login_name); +- ret = 1; +- goto done; ++ if (semanage_mls_enabled(handle)) { ++ ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE); ++ if (ret != 0) { ++ fprintf (shadow_logfd, ++ _("Could not set serange for %s\n"), login_name); ++ ret = 1; ++ goto done; ++ } + } + + ret = semanage_seuser_set_sename (handle, seuser, seuser_name); 
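Review bot: The MLS guard and its error reporting are now duplicated verbatim in `semanage_user_mod` and `semanage_user_add` (the two copies already differ only in line wrapping), which is how such sites drift apart on the next fix; pull the check into one static helper that both functions call. `semanage_mls_enabled` is treated as a plain boolean here — if the libsemanage in use can return a negative error code, that would read as "enabled", so confirm against the header. Both functions begin and end outside the hunk.
```c
/* Apply DEFAULT_SERANGE only when the loaded policy is MLS-capable;
 * shared by semanage_user_mod() and semanage_user_add(). */
static int set_default_mls_range (semanage_handle_t *handle,
                                  semanage_seuser_t *seuser,
                                  const char *login_name)
{
	if (!semanage_mls_enabled (handle)) {
		return 0;
	}
	if (semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE) != 0) {
		fprintf (shadow_logfd,
		         _("Could not set serange for %s\n"), login_name);
		return 1;
	}
	return 0;
}

/* … unchanged: semanage_user_mod() up to the seuser lookup … */
	ret = set_default_mls_range (handle, seuser, login_name);
	if (ret != 0) {
		goto done;
	}
/* … unchanged: semanage_seuser_set_sename() and the rest; the same three lines replace the block in semanage_user_add() … */
```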
diff --git a/backport-useradd-check-if-subid-range-exists-for-user.patch b/backport-useradd-check-if-subid-range-exists-for-user.patch
new file mode 100644
index 0000000..c5c03ad
--- /dev/null
+++ b/backport-useradd-check-if-subid-range-exists-for-user.patch
@@ -0,0 +1,39 @@
+From e0524e813a3bae2891b33a66f35876841c11cee7 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Mon, 24 Oct 2022 10:46:36 +0200
+Subject: [PATCH] useradd: check if subid range exists for user
+
+Check if a user already has a subid range before assigning one.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012929
+
+Signed-off-by: Iker Pedrosa
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/f6f8bcd2a57c06983296485cc028ebdf467ebfd7
+
+---
+ src/useradd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 7ea0a9c4d..e784d6029 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -2188,14 +2188,14 @@ static void usr_update (unsigned long subuid_count, unsigned long subgid_count)
+ fail_exit (E_PW_UPDATE);
+ }
+ #ifdef ENABLE_SUBIDS
+- if (is_sub_uid &&
++ if (is_sub_uid && !local_sub_uid_assigned(user_name) &&
+ (sub_uid_add(user_name, sub_uid_start, subuid_count) == 0)) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry\n"),
+ Prog, sub_uid_dbname ());
+ fail_exit (E_SUB_UID_UPDATE);
+ }
+- if (is_sub_gid &&
++ if (is_sub_gid && !local_sub_gid_assigned(user_name) &&
+ (sub_gid_add(user_name, sub_gid_start, subgid_count) == 0)) {
+ fprintf (stderr,
+ _("%s: failed to prepare the new %s entry\n"),
diff --git a/shadow.spec b/shadow.spec
index 1019b64..4054b5c 100644
--- a/shadow.spec
+++ b/shadow.spec
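Review bot: When `local_sub_uid_assigned (user_name)` is true the new condition skips `sub_uid_add` silently, so an account re-created under a name that still has a stale /etc/subuid entry inherits that range and the `subuid_count` the caller asked for is ignored without a word; log the reuse, e.g. `fprintf (stderr, _("%s: %s already has a subordinate uid range, not adding one\n"), Prog, user_name);`, and the same for the gid branch, so a size mismatch is visible to the administrator. As in the prefix-overflow patch, the `Reference:` trailer here points to f6f8bcd2a57c06983296485cc028ebdf467ebfd7 while the `From` line is e0524e813a3bae2891b33a66f35876841c11cee7, and the identical URL is used by both files, so at least one is wrong and should be corrected before merging. `local_sub_uid_assigned`/`local_sub_gid_assigned` must exist in the 4.9 base this is applied to; the hunk cannot show that. `usr_update` begins and ends outside the hunk.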
@@ -48,39 +48,43 @@ Patch28: backport-libmisc-add-check-fopen-return-value-in-read_random_.patch
 Patch29: backport-passwd-erase-password-copy-on-all-error-branches.patch
 Patch30: backport-chpasswd-add-get_salt-for-generating-salt-value.patch
 Patch31: backport-chpasswd-fix-function-problem-with-R-parameter.patch
-Patch32: backport-Fix-off-by-one-mistakes.patch
-Patch33: backport-Fix-typos-in-length-calculations.patch
-Patch34: backport-Correctly-handle-illegal-system-file-in-tz.patch
-Patch35: backport-Explicitly-override-only-newlines.patch
-Patch36: backport-Prevent-out-of-boundary-access.patch
-Patch37: backport-Added-control-character-check.patch
-Patch38: backport-Overhaul-valid_field.patch
-Patch39: backport-Read-whole-line-in-yes_or_no.patch
-Patch40: backport-commonio-free-removed-database-entries.patch
-Patch41: backport-semanage-disconnect-to-free-libsemanage-internals.patch
-Patch42: shadow-Remove-encrypted-passwd-for-useradd-gr.patch
-Patch43: backport-process_prefix_flag-Drop-privileges.patch
-Patch44: backport-chsh-Verify-that-login-shell-path-is-absolute.patch
-Patch45: backport-Plug-econf-memory-leaks.patch
-Patch46: backport-def_load-avoid-NULL-deref.patch
-Patch47: backport-Check-if-crypt_method-null-before-dereferencing.patch
-Patch48: backport-usermod-fix-off-by-one-issues.patch
-Patch49: backport-gpasswd-1-Fix-password-leak.patch
-Patch50: backport-chgpasswd-fix-segfault-in-command-line-options.patch
-Patch51: backport-chpasswd-add-IS_CRYPT_METHOD.patch
-Patch52: backport-Fix-yescrypt-support.patch
-Patch53: backport-newgrp-fix-potential-string-injection.patch
-Patch54: backport-script-to-kill-subjects-processes-from-userdel.patch
-Patch55: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch
-Patch56: backport-Address-minor-complier-warnings.patch
-Patch57: backport-Avoid-races-in-chown_tree.patch
-Patch58: backport-Avoid-races-in-copy_tree.patch
-Patch59: backport-Avoid-races-in-remove_tree.patch
-Patch60: backport-Fail-if-regular-filr-pre-exists-in-copy_tree.patch
-Patch61: backport-lib-btrfs-avoid-NULL-dereference.patch
-Patch62: backport-More-robust-file-content-copy-in-copy_tree.patch
-Patch63: backport-Require-symlink-support.patch
-Patch64: backport-run_parts-for-groupadd-and-groupdel.patch
+Patch32: backport-script-to-kill-subjects-processes-from-userdel.patch
+Patch32: backport-Avoid-races-in-chown_tree.patch
+Patch33: backport-Avoid-races-in-remove_tree.patch
+Patch34: backport-Require-symlink-support.patch
+Patch35: backport-Fail-if-regular-file-pre-exists-in-copy_tree.patch
+Patch36: backport-More-robust-file-content-copy-in-copy_tree.patch
+Patch37: backport-Address-minor-compiler-warnings.patch
+Patch38: backport-Avoid-races-in-copy_tree.patch
+Patch39: backport-useradd-check-MLS-enablement-before-setting-serange.patch
+Patch40: backport-libmisc-minimum-id-check-for-system-accounts.patch
+Patch41: backort-useradd-Fix-buffer-overflow-when-using-a-prefix.patch
+Patch42: backport-useradd-check-if-subid-range-exists-for-user.patch
+Patch43: backport-Fix-off-by-one-mistakes.patch
+Patch44: backport-Fix-typos-in-length-calculations.patch
+Patch45: backport-Correctly-handle-illegal-system-file-in-tz.patch
+Patch46: backport-Explicitly-override-only-newlines.patch
+Patch47: backport-Prevent-out-of-boundary-access.patch
+Patch48: backport-Added-control-character-check.patch
+Patch49: backport-Overhaul-valid_field.patch
+Patch50: backport-Read-whole-line-in-yes_or_no.patch
+Patch51: backport-run_parts-for-groupadd-and-groupdel.patch
+Patch52: backport-commonio-free-removed-database-entries.patch
+Patch53: backport-semanage-disconnect-to-free-libsemanage-internals.patch
+Patch54: backport-process_prefix_flag-Drop-privileges.patch
+Patch55: backport-chsh-Verify-that-login-shell-path-is-absolute.patch
+Patch56: backport-Plug-econf-memory-leaks.patch
+Patch57: backport-def_load-avoid-NULL-deref.patch
+Patch58: backport-Check-if-crypt_method-null-before-dereferencing.patch
+Patch59: backport-usermod-fix-off-by-one-issues.patch
+Patch60: backport-gpasswd-1-Fix-password-leak.patch
+Patch61: backport-chgpasswd-fix-segfault-in-command-line-options.patch
+Patch62: backport-chpasswd-add-IS_CRYPT_METHOD.patch
+Patch63: backport-Fix-yescrypt-support.patch
+Patch64: backport-newgrp-fix-potential-string-injection.patch
+Patch65: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch
+Patch66: shadow-Remove-encrypted-passwd-for-useradd-gr.patch + BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@@ -247,7 +251,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_mandir}/*/* %changelog -* Tue Nov 17 2023 wangyunjia - 2:4.9-14 +* Tue Nov 17 2023 wangqingsan - 2:4.9-14 - backport some patches * Wed Sep 20 2023 wangyunjia - 2:4.9-13 -- Gitee
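Review bot: `Patch32:` is declared twice in the new list (`backport-script-to-kill-subjects-processes-from-userdel.patch` and `backport-Avoid-races-in-chown_tree.patch`); I believe rpmbuild rejects a patch number defined more than once, and even where it does not, only one of the two can be applied, so renumber the chown_tree entry and shift the rest (checking `%prep` for explicit `%patchN` lines). More seriously, eight of the files this commit creates — backport-CVE-2013-4235.patch, backport-Handle-malformed-lines-in-hushlogins-file.patch, backport-Only-free-sgent-if-it-was-initialized.patch, backport-lib-check-NULL-before-freeing-passwd-data.patch, backport-Improve-child-error-handling.patch, backport-Fix-parentheses-in-configure.ac.patch, backport-Added-documentation-around-CREATE_MAIL_SPOOL.patch and backport-man-po-Makefile.in-switch-from-xml2po-to-itstool.patch — receive no `PatchNN:` line anywhere in this spec diff, so unless they are declared above line 48 they ship in the SRPM but are never applied, and the CVE hardening, the out-of-bounds write in `hushed ()` and the gpasswd double free stay unfixed in the built package. The `backort-` misspelling is carried into `Patch41:` while the two other misspelled file names are corrected in this same commit. The changelog entry on the new side is still dated `Tue Nov 17 2023`, which was a Friday; the commit itself is dated Nov 7.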